grafana · Baarsgaard · Sep 24, 2024 · Sep 24, 2024 · Sep 25, 2024 · Sep 25, 2024
@@ -73,6 +73,9 @@ It's easier to just manage this configuration outside of the operator.
 | imagePullSecrets | list | `[]` | image pull secrets |
 | isOpenShift | bool | `false` | Determines if the target cluster is OpenShift. Additional rbac permissions for routes will be added on OpenShift |
 | leaderElect | bool | `false` | If you want to run multiple replicas of the grafana-operator, this is not recommended. |
+| logging.encoder | string | `"console"` | Log encoding (one of 'json' or 'console') |
+| logging.level | string | `"info"` | Configure the verbosity of logging. Can be one of 'debug', 'info', 'error' |
+| logging.time | string | `"epoch"` | Time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano'). |
 | metricsService.metricsPort | int | `9090` | metrics service port |
 | metricsService.pprofPort | int | `8888` | port for the pprof profiling endpoint |
 | metricsService.type | string | `"ClusterIP"` | metrics service type |
@@ -85,19 +88,21 @@ It's easier to just manage this configuration outside of the operator.
 | priorityClassName | string | `""` | pod priority class name |
 | rbac.create | bool | `true` | Specifies whether to create the ClusterRole and ClusterRoleBinding. If "namespaceScope" is true or "watchNamespaces" is set, this will create Role and RoleBinding instead. |
 | resources | object | `{}` | grafana operator container resources |
-| securityContext | object | `{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | grafana operator container security context |
+| securityContext.allowPrivilegeEscalation | bool | `false` | Disables privilege escalation inside the container |
+| securityContext.capabilities | object | `{"drop":["ALL"]}` | grafana operator does not require default capabilities |
+| securityContext.readOnlyRootFilesystem | bool | `true` | Allow writing to filesystem |
+| securityContext.runAsNonRoot | bool | `true` | Force user to not be root |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
-| serviceMonitor | object | `{"additionalLabels":{},"enabled":false,"interval":"1m","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s","targetLabels":[],"telemetryPath":"/metrics"}` | Enable this to use with Prometheus Operator |
 | serviceMonitor.additionalLabels | object | `{}` | Set of labels to transfer from the Kubernetes Service onto the target |
-| serviceMonitor.enabled | bool | `false` | When set true then use a ServiceMonitor to configure scraping |
+| serviceMonitor.enabled | bool | `false` | Used with Prometheus Operator When true Create a ServiceMonitor to enable metric scraping |
 | serviceMonitor.interval | string | `"1m"` | Set how frequently Prometheus should scrape |
 | serviceMonitor.metricRelabelings | list | `[]` | MetricRelabelConfigs to apply to samples before ingestion |
 | serviceMonitor.relabelings | list | `[]` | Set relabel_configs as per https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config |
 | serviceMonitor.scrapeTimeout | string | `"10s"` | Set timeout for scrape |
 | serviceMonitor.targetLabels | list | `[]` | Set of labels to transfer from the Kubernetes Service onto the target |
 | serviceMonitor.telemetryPath | string | `"/metrics"` | Set path to metrics path |
 | tolerations | list | `[]` | pod tolerations |
-| watchNamespaceSelector | string | `""` | Sets the WATCH_NAMESPACE_SELECTOR environment variable, it defines which namespaces the operator should be listening for based on label and key value pair added on namespace kind. By default it's all namespaces. |
-| watchNamespaces | string | `""` | Sets the WATCH_NAMESPACE environment variable, it defines which namespaces the operator should be listening for. By default it's all namespaces, if you only want to listen for the same namespace as the operator is deployed to look at namespaceScope. |
+| watchNamespaceSelector | string | `""` | Sets the WATCH_NAMESPACE_SELECTOR environment variable, Defines namespaces the operator should be listening for based on label and key value pair added on namespace kind. By default it's all namespaces. |
+| watchNamespaces | string | `""` | Sets the WATCH_NAMESPACE environment variable, Defines namespaces the operator should be listening for. By default it's all namespaces, if you want to limit the Operator to its own namespace, instead set namespaceScope: true. |
@@ -58,6 +58,9 @@ spec:
             - --health-probe-bind-address=:8081
             - --metrics-bind-address=0.0.0.0:{{ .Values.metricsService.metricsPort }}
             - --pprof-addr=0.0.0.0:{{ .Values.metricsService.pprofPort }}
+            - -zap-encoder={{ .Values.logging.encoder | default "console" }}
+            - -zap-log-level={{ .Values.logging.level | default "info" }}
+            - -zap-time-encoding={{ .Values.logging.time | default "epoch" }}
             {{- if .Values.leaderElect }}
             - --leader-elect
             {{- end }}

@@ -6,18 +6,27 @@ namespaceScope: false
 leaderElect: false
 
 # -- Sets the WATCH_NAMESPACE environment variable,
-# it defines which namespaces the operator should be listening for.
-# By default it's all namespaces, if you only want to listen for the same namespace as the operator is deployed to look at namespaceScope.
+# Defines namespaces the operator should be listening for.
+# By default it's all namespaces, if you want to limit the Operator to its own namespace, instead set namespaceScope: true.
 watchNamespaces: ""
 
 # -- Sets the WATCH_NAMESPACE_SELECTOR environment variable,
-# it defines which namespaces the operator should be listening for based on label and key value pair added on namespace kind.
+# Defines namespaces the operator should be listening for based on label and key value pair added on namespace kind.
 # By default it's all namespaces.
 watchNamespaceSelector: ""
 
 # -- Determines if the target cluster is OpenShift. Additional rbac permissions for routes will be added on OpenShift
 isOpenShift: false
 
+# Log options for the Operator
+logging:
+  # -- Log encoding (one of 'json' or 'console')
+  encoder: console
+  # -- Configure the verbosity of logging. Can be one of 'debug', 'info', 'error'
+  level: info
+  # -- Time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano').
+  time: epoch
+
 # -- Additional environment variables
 env: []
   # -- grafana image, e.g. docker.io/grafana/grafana:9.1.6, overwrites the default grafana image defined in the operator
@@ -77,12 +86,17 @@ podAnnotations: {}
 # -- pod security context
 podSecurityContext: {}
 
-# -- grafana operator container security context
+# https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 securityContext:
+  # -- grafana operator does not require default capabilities
   capabilities:
     drop:
       - ALL
+  # -- Disables privilege escalation inside the container
+  allowPrivilegeEscalation: false
+  # -- Allow writing to filesystem
   readOnlyRootFilesystem: true
+  # -- Force user to not be root
   runAsNonRoot: true
 
 # -- grafana operator container resources
@@ -100,9 +114,9 @@ tolerations: []
 # -- pod affinity
 affinity: {}
 
-# -- Enable this to use with Prometheus Operator
 serviceMonitor:
-  # -- When set true then use a ServiceMonitor to configure scraping
+  # -- Used with Prometheus Operator
+  # When true Create a ServiceMonitor to enable metric scraping
   enabled: false
   # -- Set of labels to transfer from the Kubernetes Service onto the target
   additionalLabels: {}

@@ -22,6 +22,9 @@ spec:
             - --health-probe-bind-address=:8081
             - --metrics-bind-address=0.0.0.0:9090
             - --leader-elect
+            - -zap-encoder=console
+            - -zap-log-level=info
+            - -zap-time-encoding=epoch
           image: ghcr.io/grafana/grafana-operator:v5.6.0
           imagePullPolicy: Always
           ports:
@@ -52,7 +55,12 @@ spec:
               cpu: 100m
               memory: 20Mi
           securityContext:
+            capabilities:
+              drop:
+                - ALL
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
           volumeMounts:
             - name: dashboards-dir
               mountPath: /tmp/dashboards